InfoBytes Blog
FINRA alleges firm failed to enforce supervisory procedures related to outside business activities
On July 12, FINRA accepted a Letter of Acceptance, Waiver, and Consent from a broker-dealer alleging that it did not enforce its written supervisory procedures related to outside business activities of its registered representatives. FINRA alleged that from April 2021 to March 2023, the broker-dealer failed to enforce its supervisory procedures while on notice that three of its employees founded and operated an independent company with two distinct lines of business (e-commerce storefronts and lead generation websites) outside of the scope of their association with the broker-dealer. As a result, FINRA alleged the broker-dealer violated FINRA Rules 3110 and 3270, and issued a censure and assessed a $60,000 fine.
While the broker-dealer maintained supervisory procedures that required certain processes for the written notification and approval of outside business activities, FINRA alleged that the firm did not follow its procedures. FINRA Rule 3110 required each member firm to establish, maintain, and enforce written procedures, and FINRA alleged the broker-dealer failed to enforce them. The broker-dealer was alleged to have also violated FINRA Rule 3270 (which prohibited employees from engaging in an OBA unless they provide prior written notice to the member firm) because it did not require written disclosure of the OBA despite repeatedly receiving new information regarding the employees’ involvement. The three employees terminated their association with the broker-dealer by March 2023; however, during the relevant time period, hundreds of customers purchased $33 million in goods and services from the employees’ OBA.
SEC to issue second rounds of NPRM for RIA custody rule and AI rule
On July 8, the SEC issued a statement on the Spring 2024 Regulatory Agenda from Chair Gary Gensler. Notably, the SEC updated two rules that will be slated for a second round of proposed rulemaking. First, the SEC will consider reproposing amendments or new rules under the Investment Advisers Act of 1940 to “improve and modernize the regulations on custody of funds or investments of clients by investment advisors.” This NPRM underwent two comment periods, and a second NPRM is now slated for on or about October. Second, the SEC will consider new rules on potential conflicts affecting broker-dealers and investment advisers while using predictive data analytics, artificial intelligence, and machine learning. The SEC signaled it will commence a second NPRM around October as well. A full Agency Rule List for Spring 2024 can be found here.
In the statement, Chair Gensler stated how, “[i]n every generation since the SEC’s founding 90 years ago, our Commission has updated rules to meet the markets and technologies of the times… to promote the efficiency, integrity, and resiliency of the markets… [using] robust public input regarding proposed rule changes.”
FINRA reminds registered firms of continuing education requirements
On July 12, FINRA reminded registered firms of upcoming continuing education deadlines in an information notice. FINRA noted all registered persons must complete the Regulatory Element of their continuing education as required by FINRA Rule 1240 by December 31. Those failing to do so will be designated as having their continuing education inactive. Firms must develop an annual written training plan to meet the Continuing Education Firm Element requirement. To assist in this, FINRA developed Financial Learning Experience, a content catalog that firms can use to create training programs.
Firms can use FINRA Gateway to monitor continuing education obligations, set deadlines, and send automated notifications to registered individuals. FINRA encourages registered individuals and firms to use available resources to comply with continuing education requirements and enhance professional development.
FINRA fines securities firm for failing to use an escrow agent
Recently, FINRA released its letter of acceptance, waiver, and consent (AWC) against a securities firm for allegedly failing to use an escrow agent to custody customer funds. Among other things, the firm deposited investor funds for both offerings into accounts that its registered representative established and controlled, rather than with a bank. According to FINRA, these actions, discovered during a firm examination, violated the Exchange Act § 15(c)(2), Rule 15c2-4 thereunder, and FINRA Rule 2010. The firm further failed to “promptly return customer funds” when the contingency was not met and changed material terms in its 2020 offering, violating Exchange Act § 10(b), Rule 10b-9 thereunder, and FINRA Rule 2010. The firm consented to receiving a censure and a $20,000 fine.
FINRA fines annuity and fund distributor for causing payment of transaction-based compensation to unregistered entity
On July 8, FINRA accepted a firm’s Letter of Acceptance, Waiver, and Consent imposing a censure and a $300,000 fine. The firm is a wholesale distributor of variable insurance products and mutual funds. Between March 2018 and September 2019, FINRA alleged that the firm caused around $2.9 million in compensation to be paid to an unregistered entity. More specifically, according to the AWC, the firm had paid around $8.7 million in transaction-based compensation to an unaffiliated selling broker-dealer concerning the sale of variable life insurance, a securities product. Of that, FINRA alleges that the firm directed the unaffiliated broker-dealer to direct $2.9 million to an LLC that was not affiliated with the firm and that was not a FINRA member. As a result, FINRA alleged that the firm violated FINRA Rule 2040, which prohibits FINRA members from paying transaction-based compensation to any person not registered as a broker-dealer if receipt of such payment would require such person to register as such.
FINRA fines firm for excess commission charges
Recently, FINRA released a Letter of Acceptance, Waiver and Consent (AWC) against a securities firm for two types of alleged violative conduct from August 2018 to September 2022. First, FINRA alleged that the firm charged an unfair commission of at least $100 on 1,683 equity transactions. FINRA also alleges that the firm failed to maintain a supervisory system designed to monitor for unfair commissions, which engendered the unfair commissions, in violation of FINRA Rules 2121, 3110, and 2010. Second, FINRA alleged that the firm failed to file offering documents with FINRA “in connection with 14 private placements,” in violation of FINRA Rules 5123 and 2010. In the AWC, the firm agreed to a censure, a fine of $65,000, and restitution of $69,898.17 plus interest.
SEC files complaint against a digital platform for unregistered offer and sales of securities and acting as unregistered broker
Recently, the SEC released its complaint against a digital platform that acted as an unregistered broker and seller of crypto-asset securities transactions. The SEC alleges that since 2020 the platform brokered over 36 million crypto-asset transactions between investors and third parties, collecting over $250 million in fees. Since at least 2023, the platform allegedly engaged in unregistered offers and sales of securities. The SEC alleged the platform was not registered as a broker despite operating as one in violation of Section 15(a) of the Securities Exchange Act of 1934. Additionally, the SEC alleged the platform also engaged in unregistered offers and sales of securities in violation of Sections 5(a) and (c) of the Securities Act of 1933. Further, the SEC alleged the platform acted as an underwriter and distributor of securities. The SEC seeks (i) to permanently enjoin the platform from violating these securities laws and (ii) payment of civil money penalties.
FINRA fines firm for insufficient ACH monitoring
Recently, FINRA accepted a letter of acceptance, waiver and consent from a brokerage firm to settle alleged rule violations. The settlement concerns a series of unauthorized Automated Clearing House (ACH) transfers from a senior trust customer's brokerage account. Between December 2019 and April 2020, $332,457.73 was allegedly illegally transferred out of the account through 278 ACH transfers initiated by third parties that illegally obtained information relating to a checking feature attached to the consumer’s account.
According to the letter, FINRA Rule 3110(a) mandates that member firms must establish systems to supervise associated persons and reasonably ensure compliance with securities laws, regulations, and FINRA rules, including the responsibility to investigate and act on red flags indicating misconduct. The failure to do so also constitutes a violation of FINRA Rule 2010, which “requires a firm to observe high standards of commercial honor and just and equitable principles of trade in the conduct of its business.”
The respondent firm allegedly failed to maintain an adequate system to review and monitor externally initiated ACH transfers of consumer funds, as its proprietary tool only monitored internally initiated ACH transfers. As a result, none of the fraudulent transactions were flagged. The respondent firm also failed to identify several red flags in connection with such ACH transfers, including that the transactions were out of character for the customer and the volume of transactions as compared to any other account, and it failed to identify five fraudulent transactions that were included on an end-of-year report.
Despite these oversights, the bank processing the ACH transfers ultimately credited back all the stolen funds to the customer's account, and the respondent provided information to the bank to support the remediation.
Respondent agreed to a censure and to pay a $225,000 fine.
SEC charges communications company with accounting control failure
On June 18, the SEC issued a cease-and-desist order (order) against a Delaware-based business communication and marketing service provider (respondent) to settle allegations of cybersecurity controls violations related to a 2021 ransomware attack.
According to the order, the SEC alleged respondent did not have adequate controls to ensure cybersecurity incidents were reported to its management and did not respond to alerts indicating unusual network activity in a timely manner. Among other allegations, the order contended that respondent relied on a third-party vendor to review and escalate the large volume of alerts issued by its cybersecurity detection systems but did not implement procedures or controls to effectively confirm that the vendor’s review and escalation of alerts were consistent with the respondent’s expectations. The order noted that respondent cooperated with the investigation, reported the cybersecurity incident promptly, and took steps to enhance its cybersecurity technology and controls. Without admitting the SEC’s allegations, respondent agreed to a $2,125,000 civil money penalty.
Notably, in addition to an alleged violation of Exchange Act Rule 13a-15(a) requiring public companies to maintain disclosure controls and procedures designed to ensure timely disclosure of incidents in compliance with the Commission’s rules, the order also alleged that respondent’s failure to design effective procedures to ensure escalation and timely decisions regarding potential security incidents violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934. Section 13(b)(2)(B) required covered companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets was permitted only in accordance with management’s general or specific authorization.”
In a statement responding to the order, SEC Commissioners Pierce and Uyeda took issue with the Commission’s application of Section 13(b)(2)(B). Specifically, the commissioners argued that the requirement to maintain internal accounting controls ensuring “that access to company assets” is authorized by management was intended to protect the accuracy of corporate transactions for the use and disposition of assets in transactions. They noted that “[w]hile [respondent’s] computer systems constitute an asset in the sense of being corporate property, computer systems are not the subject of corporate transactions,” and that faulting respondent’s internal accounting controls in the context of a ransomware attack “breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii).”
FINRA issues guidance on broker-dealers using generative AI tools
On June 27, FINRA issued Regulatory Notice 24-09, which discussed the implications for broker-dealers of their use of artificial intelligence (AI), including large language models (LLMs) and other generative AI tools. Although FINRA stated that AI offered broker-dealers opportunities to improve their services and enhance their operational and compliance efficiencies, it also reminded firms that its rules and federal securities laws continue to apply. In discussing use cases, FINRA noted that AI tools can analyze financial data, summarize documents, and assist in investor education, but also raise concerns about accuracy, privacy, bias, and security.
When using these tools, FINRA reminds firms that: (1) they must have appropriate supervisory systems and governance in place, whether those tools are developed in-house or provided by third parties; and (2) they should evaluate AI tools before use to ensure compliance with FINRA rules. FINRA also stated that in some instances, it could issue further guidance for specific use cases. FINRA encouraged firms to seek interpretive guidance where ambiguous rule applications may exist and to have ongoing discussions with their Risk Monitoring Analyst.